-
Vulnerability Information (F39715)

Debian Security Advisory DSA 791-1 - Max Vozeler discovered that the lockmail program from maildrop, a simple mail delivery agent with filtering abilities, does not drop group privileges before executing commands given on the command line, allowing an attacker to execute arbitrary commands with group mail privileges.

-
Vulnerability Discussion

A local attacker can execute arbitrary commands with group mail privileges.

Maildrop 1.5.3 is affected by this issue. Other versions may be vulnerable as well.
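
The flaw class described here is a set-group-ID helper that executes a caller-supplied command while its effective group is still the privileged one. The following C program is an added example, not maildrop's code or the Debian patch: it shows a group-privilege drop that is verified before `execvp`, with hypothetical function names and assuming Linux `setregid` semantics for the saved group ID.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up set-group-ID privilege; 0 on success, -1 on failure. */
int drop_group_privileges(void)
{
    gid_t rgid = getgid();      /* group of the invoking user */
    gid_t old_egid = getegid(); /* privileged group when installed setgid */

    /* Setting real and effective gid together also resets the saved gid
     * (assumed Linux behaviour), so the old group cannot be restored. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    /* Verify the drop: an unprivileged process must not be able to regain
     * the old group (root holds CAP_SETGID and always can, so skip it). */
    if (geteuid() != 0 && old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Drop the group, then exec the command. Returns only on failure. */
int run_command_unprivileged(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL)
        return -1;
    if (drop_group_privileges() != 0)
        return -1; /* fail closed: never exec with the extra group */
    execvp(argv[0], argv);
    return -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    /* A locking helper would acquire its lock here, while still privileged. */
    run_command_unprivileged(&argv[1]);
    perror("run_command_unprivileged");
    return 1;
}
```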

-
Exploit

An exploit is not required.

-
Solution

Debian has released advisory DSA 791-1 to address this issue. Please see the referenced advisory for more information.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.